tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java - myfaces-tobago - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.myfaces.tobago.internal.util;

 import org.apache.myfaces.tobago.context.TobagoContext;
 import org.apache.myfaces.tobago.context.UserAgent;
 import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
 import org.apache.myfaces.tobago.internal.context.Nonce;
 import org.apache.myfaces.tobago.portlet.PortletUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.faces.context.FacesContext;
 import javax.portlet.MimeResponse;
 import javax.servlet.http.HttpServletResponse;
 import java.lang.invoke.MethodHandles;
 import java.util.Map;

 public final class ResponseUtils {

   private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

   private ResponseUtils() {
     // utils class
   }

   public static void ensureNoCacheHeader(final FacesContext facesContext) {
     final Object response = facesContext.getExternalContext().getResponse();
     if (response instanceof HttpServletResponse) {
       ensureNoCacheHeader((HttpServletResponse) response);
     } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
       ensureNoCacheHeader((MimeResponse) response);
     }
   }

   public static void ensureNoCacheHeader(final HttpServletResponse response) {
     response.setHeader("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate");
     response.setHeader("Pragma", "no-cache");
     response.setDateHeader("Expires", 0);
     response.setDateHeader("max-age", 0);
   }

   public static void ensureNoCacheHeader(final MimeResponse response) {
     // TODO validate this
     response.getCacheControl().setExpirationTime(0);
   }

   public static void ensureContentTypeHeader(final FacesContext facesContext, final String contentType) {
     final Object response = facesContext.getExternalContext().getResponse();
     if (response instanceof HttpServletResponse) {
       ensureContentTypeHeader((HttpServletResponse) response, contentType);
     } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
       ensureContentTypeHeader((MimeResponse) response, contentType);
     }
   }

   public static void ensureContentTypeHeader(final HttpServletResponse response, final String contentType) {
     if (!response.containsHeader("Content-Type")) {
       response.setContentType(contentType);
     } else {
       final String responseContentType = response.getContentType();
       if (!StringUtils.equalsIgnoreCaseAndWhitespace(responseContentType, contentType)) {
         response.setContentType(contentType);
         if (LOG.isDebugEnabled()) {
           LOG.debug("Response already contains Header Content-Type '" + responseContentType
               + "'. Overwriting with '" + contentType + "'");
         }
       }
     }
   }

   public static void ensureContentTypeHeader(final MimeResponse response, final String contentType) {
     final String responseContentType = response.getContentType();
     if (!StringUtils.equalsIgnoreCaseAndWhitespace(responseContentType, contentType)) {
       response.setContentType(contentType);
       if (LOG.isDebugEnabled()) {
         LOG.debug("Response already contains Header Content-Type '" + responseContentType
             + "'. Overwriting with '" + contentType + "'");
       }
     }
   }

   public static void ensureContentSecurityPolicyHeader(
       final FacesContext facesContext, final ContentSecurityPolicy contentSecurityPolicy) {
     final Object response = facesContext.getExternalContext().getResponse();
     if (response instanceof HttpServletResponse) {
       final HttpServletResponse servletResponse = (HttpServletResponse) response;
       final TobagoContext tobagoContext = TobagoContext.getInstance(facesContext);
       final UserAgent userAgent = tobagoContext.getUserAgent();
       final String[] cspHeaders;
       switch (contentSecurityPolicy.getMode()) {
         case OFF:
           cspHeaders = new String[0];
           break;
         case ON:
           cspHeaders = userAgent.getCspHeaders();
           break;
         case REPORT_ONLY:
           cspHeaders = userAgent.getCspReportOnlyHeaders();
           break;
         default:
           throw new IllegalArgumentException("Undefined mode: " + contentSecurityPolicy.getMode());
       }
       final StringBuilder builder = new StringBuilder();
       final String nonce = Nonce.getNonce(facesContext);
       for (final Map.Entry<String, String> directive : contentSecurityPolicy.getDirectiveMap().entrySet()) {
         builder.append(directive.getKey());
         builder.append(" ");
         builder.append(directive.getValue().replace("${nonce}", nonce));
         builder.append(";");
       }
       for (final String cspHeader : cspHeaders) {
         servletResponse.setHeader(cspHeader, builder.toString());
       }
     } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      // TODO Portlet
       if (contentSecurityPolicy.getMode() != ContentSecurityPolicy.Mode.OFF) {
         LOG.warn("CSP not implemented for Portlet!");
       }
     }
   }

   public static void ensureNosniffHeader(final FacesContext facesContext) {
     final Object response = facesContext.getExternalContext().getResponse();
     if (response instanceof HttpServletResponse) {
       final HttpServletResponse servletResponse = (HttpServletResponse) response;
       ensureNosniffHeader(servletResponse);
     }
   }

   public static void ensureNosniffHeader(final HttpServletResponse servletResponse) {
     servletResponse.setHeader("X-Content-Type-Options", "nosniff");
   }

   public static void ensureXFrameOptionsHeader(final FacesContext facesContext) {
     final Object response = facesContext.getExternalContext().getResponse();
     if (response instanceof HttpServletResponse) {
       ((HttpServletResponse) response).setHeader("X-Frame-Options", "DENY");
     }
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.myfaces.tobago.internal.util;

	import org.apache.myfaces.tobago.context.TobagoContext;
	import org.apache.myfaces.tobago.context.UserAgent;
	import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
	import org.apache.myfaces.tobago.internal.context.Nonce;
	import org.apache.myfaces.tobago.portlet.PortletUtils;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import javax.faces.context.FacesContext;
	import javax.portlet.MimeResponse;
	import javax.servlet.http.HttpServletResponse;
	import java.lang.invoke.MethodHandles;
	import java.util.Map;

	public final class ResponseUtils {

	private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

	private ResponseUtils() {
	// utils class
	}

	public static void ensureNoCacheHeader(final FacesContext facesContext) {
	final Object response = facesContext.getExternalContext().getResponse();
	if (response instanceof HttpServletResponse) {
	ensureNoCacheHeader((HttpServletResponse) response);
	} else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
	ensureNoCacheHeader((MimeResponse) response);
	}
	}

	public static void ensureNoCacheHeader(final HttpServletResponse response) {
	response.setHeader("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate");
	response.setHeader("Pragma", "no-cache");
	response.setDateHeader("Expires", 0);
	response.setDateHeader("max-age", 0);
	}

	public static void ensureNoCacheHeader(final MimeResponse response) {
	// TODO validate this
	response.getCacheControl().setExpirationTime(0);
	}

	public static void ensureContentTypeHeader(final FacesContext facesContext, final String contentType) {
	final Object response = facesContext.getExternalContext().getResponse();
	if (response instanceof HttpServletResponse) {
	ensureContentTypeHeader((HttpServletResponse) response, contentType);
	} else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
	ensureContentTypeHeader((MimeResponse) response, contentType);
	}
	}

	public static void ensureContentTypeHeader(final HttpServletResponse response, final String contentType) {
	if (!response.containsHeader("Content-Type")) {
	response.setContentType(contentType);
	} else {
	final String responseContentType = response.getContentType();
	if (!StringUtils.equalsIgnoreCaseAndWhitespace(responseContentType, contentType)) {
	response.setContentType(contentType);
	if (LOG.isDebugEnabled()) {
	LOG.debug("Response already contains Header Content-Type '" + responseContentType
	+ "'. Overwriting with '" + contentType + "'");
	}
	}
	}
	}

	public static void ensureContentTypeHeader(final MimeResponse response, final String contentType) {
	final String responseContentType = response.getContentType();
	if (!StringUtils.equalsIgnoreCaseAndWhitespace(responseContentType, contentType)) {
	response.setContentType(contentType);
	if (LOG.isDebugEnabled()) {
	LOG.debug("Response already contains Header Content-Type '" + responseContentType
	+ "'. Overwriting with '" + contentType + "'");
	}
	}
	}

	public static void ensureContentSecurityPolicyHeader(
	final FacesContext facesContext, final ContentSecurityPolicy contentSecurityPolicy) {
	final Object response = facesContext.getExternalContext().getResponse();
	if (response instanceof HttpServletResponse) {
	final HttpServletResponse servletResponse = (HttpServletResponse) response;
	final TobagoContext tobagoContext = TobagoContext.getInstance(facesContext);
	final UserAgent userAgent = tobagoContext.getUserAgent();
	final String[] cspHeaders;
	switch (contentSecurityPolicy.getMode()) {
	case OFF:
	cspHeaders = new String[0];
	break;
	case ON:
	cspHeaders = userAgent.getCspHeaders();
	break;
	case REPORT_ONLY:
	cspHeaders = userAgent.getCspReportOnlyHeaders();
	break;
	default:
	throw new IllegalArgumentException("Undefined mode: " + contentSecurityPolicy.getMode());
	}
	final StringBuilder builder = new StringBuilder();
	final String nonce = Nonce.getNonce(facesContext);
	for (final Map.Entry<String, String> directive : contentSecurityPolicy.getDirectiveMap().entrySet()) {
	builder.append(directive.getKey());
	builder.append(" ");
	builder.append(directive.getValue().replace("${nonce}", nonce));
	builder.append(";");
	}
	for (final String cspHeader : cspHeaders) {
	servletResponse.setHeader(cspHeader, builder.toString());
	}
	} else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
	// TODO Portlet
	if (contentSecurityPolicy.getMode() != ContentSecurityPolicy.Mode.OFF) {
	LOG.warn("CSP not implemented for Portlet!");
	}
	}
	}

	public static void ensureNosniffHeader(final FacesContext facesContext) {
	final Object response = facesContext.getExternalContext().getResponse();
	if (response instanceof HttpServletResponse) {
	final HttpServletResponse servletResponse = (HttpServletResponse) response;
	ensureNosniffHeader(servletResponse);
	}
	}

	public static void ensureNosniffHeader(final HttpServletResponse servletResponse) {
	servletResponse.setHeader("X-Content-Type-Options", "nosniff");
	}

	public static void ensureXFrameOptionsHeader(final FacesContext facesContext) {
	final Object response = facesContext.getExternalContext().getResponse();
	if (response instanceof HttpServletResponse) {
	((HttpServletResponse) response).setHeader("X-Frame-Options", "DENY");
	}
	}
	}